Abstract. For an elliptic curve $E$ over any field $K$, the Weil pairing $e_n$ is a bilinear map on $n$-torsion. For $K$ of characteristic $p > 0$, the map $e_n$ is degenerate if and only if $n$ is divisible by $p$. In this paper, we consider $E$ over the dual numbers $K[\epsilon]$ and define a non-degenerate "Weil pairing on $p$-torsion" which shares many of the same properties of the Weil pairing. We also show that the discrete logarithm attacks on $p$-torsion subgroups of Semaev and Rück may be viewed as Weil-pairing-based attacks, just like the MOV attack. Finally, we describe an attack on the discrete logarithm problem on anomalous curves, analogous to that of Smart, using a lift of $E$ over $\mathbb{F}_p[\epsilon]$.

1. Introduction 

Let $E$ be an ordinary elliptic curve over $K$, an algebraically closed field of characteristic $p > 0$. For $n$ relatively prime to $p$, the Weil pairing is a bilinear, non-degenerate map

$e_n : E[n] \times E[n] \to \mu_n(K)$

where $E[n] \cong \mathbb{Z}/n\mathbb{Z} \times \mathbb{Z}/n\mathbb{Z}$ is the $n$-torsion subgroup of $E$ and $\mu_n(K)$ is the group of $n$th roots of unity of $K$. The Weil pairing is a useful tool in both the theory and application of elliptic curves.

For $p \mid n$, however, the Weil pairing is degenerate. This is true for two reasons: $K$ contains no non-trivial $p$th roots of unity and $E[p] \cong \mathbb{Z}/p\mathbb{Z}$. Each of these facts implies that $e_p(P, Q) = 1$ for all $P, Q \in E[p]$. (The second implies degeneracy since the Weil pairing satisfies the property that $e_n(P, P) = 1$.)

In this paper, we remedy this situation by considering $E$ over the ring of dual numbers $K[\epsilon]$. Through this deformation of $K$, we find substitutes for the "missing" geometric points and therefore are able to define a non-degenerate "Weil pairing" for $n = p$. In the process, we demonstrate that the discrete logarithm attacks on $p$-torsion subgroups of [5] and [6] are essentially Weil-pairing-based attacks, no different than the MOV attacks on $n$-torsion subgroups for $(n, p) = 1$.

In Section 2.1 we give an introduction to elliptic curves over the dual numbers. In Sections 2.2 and 2.3 we recall Miller's algorithm for computing the Weil pairing and Semaev's algorithm for solving the discrete log problem (DLP) on $p$-subgroups of elliptic curves. In Sections 3 and 4 we define the "Weil pairing on $p$-torsion" $e_p$ over the dual numbers, show its direct relation to Semaev's algorithm, and prove that it satisfies the basic properties of the Weil pairing. We also describe how $e_p$ can be used to solve the DLP on $p$-torsion subgroups of an elliptic curve. In Section 5 we give a simple way to compute the pairing using the algorithm of Rück defined in [5]. In Section 6 we describe how the map $e_p$ behaves with respect to isogenies of elliptic curves. In the last section, we give another application of elliptic curves over the dual numbers, namely a DLP attack on anomalous curves, analogous to that of Smart in [9].

2. Preliminaries 

2.1. Elliptic Curves over the Dual Numbers. The ring of dual numbers of the ring $R$ is $R[x]/(x^2)$, denoted $R[\epsilon]$ with $\epsilon^2 = 0$. Considering elliptic curves over the dual numbers was proposed in [10], where Virat introduced a cryptosystem based on elliptic curves over $\mathbb{F}_q[\epsilon]$, the dual numbers of $\mathbb{F}_q$.

Let $K$ be an algebraically closed field of characteristic $p \neq 0, 2, 3$. Let $E$ be the elliptic curve over $K$ given by the Weierstrass equation $y^2 = x^3 + Ax + B$. Let $\tilde{A} = A + A_1\epsilon$ and $\tilde{B} = B + B_1\epsilon$, for some $A_1, B_1 \in K$. We call the curve $y^2 = x^3 + \tilde{A}x + \tilde{B}$ a lift of $E$ to $K[\epsilon]$, and denote it as $\tilde{E}$.

The set of points $\tilde{E}(K[\epsilon])$ consists of two sets:

• Affine Points: $\tilde{P} = (x_0 + x_1\epsilon : y_0 + y_1\epsilon : 1)$ such that $(x_0, y_0) \in E(K)$ and

$2y_0\,y_1 = (3x_0^2 + A)x_1 + A_1x_0 + B_1.$ (1)

• Points at Infinity: $O_k = (k\epsilon : 1 : 0)$ for all $k \in K$.

Let $\Theta$ denote the set $\{O_k \mid k \in K\}$ and let $P_\infty$ denote $O_0$. The standard addition law for elliptic curves may be extended to give an addition law on $\tilde{E}(K[\epsilon])$ (see [11], p. 61). An easy calculation shows that

$K^+ \to \Theta,\qquad k \mapsto O_k$

is an isomorphism. Thus, $\tilde{E}(K[\epsilon])$ contains the $p$-torsion subgroup $\Theta$, and there is an exact sequence

$0 \to \Theta \to \tilde{E}(K[\epsilon]) \to E(K) \to 0.$

If $\tilde{A} = A$ and $\tilde{B} = B$, we call $\tilde{E}$ the canonical lift of $E$, since the $p$-torsion points $E[p]$ remain $p$-torsion points in $\tilde{E}$. (This terminology comes from the definition of the canonical lift of an elliptic curve to $\mathbb{Q}_q$.) For the remainder of the paper (except in Section 7), we will assume we are in this situation. In this case, the sequence splits and every point of $\tilde{E}$ may be decomposed as a point of $E(K)$ and a point at infinity. A straightforward calculation using the addition laws gives the following lemma. (Note that $3x_0^2 + A \neq 0$ for points of order 2, since the curve is non-singular.)

Lemma 2.1. Let $\tilde{P} \in \tilde{E}(K[\epsilon])$ with $\tilde{P} = (x_0 + x_1\epsilon : y_0 + y_1\epsilon : 1)$. Then there exists a unique $k \in K$ such that $\tilde{P} = P + O_k$, with $P = (x_0 : y_0 : 1) \in E(K)$. Furthermore

$k = -\dfrac{x_1}{2y_0}$ if $y_0 \neq 0$, and $k = -\dfrac{y_1}{3x_0^2 + A}$ if $y_0 = 0$.

Note that if $y_0 \neq 0$, the point $(x_1, y_1)$ lies on the line through the origin with slope $\frac{3x_0^2 + A}{2y_0}$, which is precisely the tangent space of the elliptic curve at the point $(x_0, y_0)$. Thus points of $\tilde{E}(K[\epsilon])$ may be thought of as points of $E(K)$ with extra "derivative" information. (In fact, the set of points of $\tilde{E}(K[\epsilon])$ may be naturally identified with the tangent bundle of the variety $E$.)

The canonical lift $\tilde{E}$ has $p$-torsion $\tilde{E}[p] = E[p] \oplus \Theta$. Furthermore, $\mu_p(K[\epsilon])$ has non-trivial $p$th roots of unity, in particular the subgroup $\{1 + a\epsilon : a \in K\}$. Thus we will see that there is a non-degenerate "Weil pairing" on the $p$-torsion of $\tilde{E}$. Before we proceed we recall Miller's method of computing the Weil pairing.

2.2. Miller's algorithm for computing the Weil pairing. Let $(n, p) = 1$. Let $P, Q \in E[n]$, and let $D_P, D_Q$ be divisors with disjoint support which sum to $P, Q$ respectively. Let $f_P, f_Q$ be functions with divisors $nD_P, nD_Q$ respectively. The Weil pairing is defined as

$e_n(P, Q) = \dfrac{f_P(D_Q)}{f_Q(D_P)}.$

This definition is independent of the choices of divisors by Weil reciprocity. In [3], Miller gives a way to compute the value $f_P(D_Q)$. As this will be the foundation for the definition of the "Weil pairing on $p$-torsion," we recall the details here.

Let $P \in E[n]$. Choose any two points $T, R \in E(K)$ such that the divisors $D_P = (P + T) - (T)$ and $D_Q = (Q + R) - (R)$ are disjoint. Let $f_P$ be the function with divisor $nD_P$. Note that this function is unique only up to a non-zero constant. In such situations, we choose the unique function with the value 1 at $P_\infty$, which we call the normalized function. (Note that since we are calculating the ratio $f_P(Q + R)/f_P(R)$, such constants may in fact be disregarded.)

Let $f_k$ denote the (normalized) function with

$\mathrm{div}(f_k) = k(P + T) - k(T) - (kP + T) + (T).$

Note that $\mathrm{div}(f_1) = 0$, so $f_1 = 1$. Also note that $\mathrm{div}(f_P) = \mathrm{div}(f_n)$ and $\mathrm{div}(f_{i+j}) = \mathrm{div}(f_i f_j h_{i,j})$ where

$\mathrm{div}(h_{i,j}) = -((i+j)P + T) + (iP + T) + (jP + T) - (T).$

Thus $f_P(Q) = f_n(Q)$ can be calculated recursively by using an addition chain decomposition for $n$.

An addition chain for a positive integer $n$ is an increasing sequence of integers $S \subseteq \{1, \ldots, n\}$ such that for each $k \in S$ with $k > 1$, there exist $i, j \in S$ such that $i + j = k$. Given an addition chain $S$, an addition chain decomposition $C$ of $n$ is a sequence of steps of the form $(k \mapsto i, j)$ with $i + j = k$ and $i, j, k \in S$ which decomposes $n$ into the sum of $n$ ones: $1 + \cdots + 1$ ($n$ terms). Note that any decomposition will consist of exactly $n - 1$ steps.

Thus, since $f_k(Q) = f_i(Q)f_j(Q)h_{i,j}(Q)$ and $f_1 = 1$, $f_n(Q)$ will be the product of $n - 1$ contributions of the form $h_{i,j}(Q)$. For example, if $n = 11$ and $S = \{1, 2, 4, 8, 10, 11\}$, then one possible decomposition is

$f_{11} = f_1 f_{10} h_{1,10} = f_1 f_2 f_8 h_{1,10} h_{2,8} = \cdots = f_1^{11} h_{1,10} h_{2,8} h_{4,4} h_{2,2}^2 h_{1,1}^5.$

Given an addition chain decomposition $C$ for $n$, we write $\prod_C h_{i,j}(Q)$ to denote the value $f_n(Q)$. Note that there always exists a decomposition with $O(\log n)$ distinct $h_{i,j}$.

Let $\ell_{i,j}$ denote the line through $iP$ and $jP$, and let $v_i$ denote the vertical line through $iP$. Note that

$\mathrm{div}(\ell_{i,j}) = (iP) + (jP) + (-(i+j)P) - 3(P_\infty)$ and $\mathrm{div}(v_i) = (iP) + (-iP) - 2(P_\infty).$

Let $\tau$ denote translation by $-T$. Then

$h_{i,j} = \begin{cases} \dfrac{\ell_{i,j}}{v_{i+j}} \circ \tau & i + j \neq n, \\[1ex] v_i \circ \tau & i + j = n. \end{cases}$ (2)

As is remarked in [8], this calculation of $f_P(Q)$ may be interpreted as exponentiation in a generalized jacobian with modulus $(Q + T) - (T)$. The $h_{i,j}$ are simply cocycle values. A good source for this viewpoint is [1].

2.3. Semaev's algorithm for solving the DLP on anomalous elliptic curves.

Let $K = \mathbb{F}_q$ be a finite field of characteristic $p$. In [5], Semaev proposed a polynomial time algorithm for solving the DLP on elliptic curves over $K$ which contain a point of order $p$, using the following map:

$\lambda : E[p] \to K^+,\qquad P \mapsto \dfrac{f_P'}{f_P}(R),\qquad P_\infty \mapsto 0,$

where $D_P$ is any divisor of degree 0 which sums to $P$, $f_P$ is any function with $\mathrm{div}(f_P) = pD_P$, and $R \in E[p]$ with $R \neq P_\infty$. Here $f_P'$ denotes $\frac{d}{dx}f_P$.

To see how this map is used to solve the DLP, consider $P, Q \in E[p]$ with $Q = nP$. Using the standard $\log p$ addition chain decomposition, we can compute $\lambda(P), \lambda(Q)$ in time $O(\log p)$, and then solve $n\lambda(P) = \lambda(Q)$ for $n \in K^+$ by Euclid's algorithm.

Proposition 2.2. (Semaev, [6]) The map $\lambda$ is defined and non-zero for any $R \notin E[2]$. Furthermore, $\lambda$ is an injective homomorphism with respect to $P$ and is independent of the divisor $D_P$.

This is proved explicitly in [6] and in fact, the proof holds for any algebraically closed field $K$ of characteristic $p > 0$. The proposition also follows from considering the map:

$E[p] \xrightarrow{\ \varphi\ } \mathrm{Pic}^0_K(E)[p] \xrightarrow{\ \rho\ } H_K(E) \xrightarrow{\ \delta\ } \mathcal{L}_{\mathrm{div}(dt)} \xrightarrow{\ \psi\ } K,$

$P \mapsto [D_P] \mapsto \dfrac{df_P}{f_P} \mapsto \dfrac{df_P/dt}{f_P} \mapsto \dfrac{df_P/dt}{f_P}(R),$

where $\mathrm{Pic}^0_K(E)$ is the group of divisor classes of $E$ of degree 0, $H_K(E)$ are the holomorphic differentials of the one-dimensional $K(E)$-vector space of differentials, $\mathcal{L}_{\mathrm{div}(dt)}$ is the one-dimensional $K$-vector space of functions $g$ with $\mathrm{div}(g\,dt) \geq 0$ and $t$ is a uniformizer for the point $R$.

This is an injective homomorphism since $\rho$ is an injective homomorphism (see [7]) and $\delta, \varphi, \psi$ are isomorphisms. This is noted in [5], where the attack on the DLP is extended to the $p$-subgroup of the divisor class group of a curve of arbitrary genus.

The computation method proposed in [6] is a variation on Miller's algorithm. Let $T$ be a point of order two and let $R \in E[p]$. Let $f_Q$ be the function with $\mathrm{div}(f_Q) = pD_Q$, where $D_Q = (Q + T) - (T)$. As in Section 2.2 the value of the function $\lambda$ may be computed by using an addition chain decomposition and summing contributions of the form $\frac{h_{i,j}'}{h_{i,j}}(R)$, where $h_{i,j}$ is as in Section 2.2. That is, $\lambda(P) = \sum_C \frac{h_{i,j}'}{h_{i,j}}(R)$. (Remark: In [6], a different function with the same divisor is used, which is equivalent up to a constant.)
To compute $h' = \frac{d}{dx}h$, we make use of the invariant differential property $\frac{dx}{y} = \frac{d(x \circ \tau)}{y \circ \tau}$. Let $g$ be a function expanded in a power series around $x$. Then $g \circ \tau$ can be expanded in a series around $x \circ \tau$ with the same coefficients, and so

$\dfrac{d(g \circ \tau)}{dx} = \dfrac{d(g \circ \tau)}{d(x \circ \tau)} \cdot \dfrac{d(x \circ \tau)}{dx} = \left(\dfrac{dg}{dx} \circ \tau\right)\dfrac{y \circ \tau}{y}.$

Therefore, for $h = f \circ \tau$, $h'(R) = \dfrac{y(R + T)}{y(R)}\,f'(R + T)$. (Since $T$ is of order 2, translation by $T$ and $-T$ are the same.)

Remark: The choice of the divisor $D_P = (P + T) - (T)$ avoids any possible zeros or undefined values when evaluating the lines through multiples of $P$ at $R$, which is itself a multiple of $P$. Note that when $p > 7$, for a fixed point $P$, it is always possible to choose an $R \in E[p]$ such that the lines in a $\log p$ addition chain decomposition will not have $R$ as a zero. However, since the homomorphism $\lambda$ is not independent of $R$, in order to have it well-defined it is necessary to choose an evaluation point that works for all $P$, which explains Semaev's use of a translation point.

As is the case for Miller's algorithm to compute the Weil pairing, this calculation may be interpreted as exponentiation in a generalized jacobian, after a slight modification. Note that if we use the divisor $D_P = (P) - (P_\infty)$, the $h_{i,j}$ are simply ratios of lines through multiples of $P$, and thus evaluating at $R + T \notin E[p]$ gives well-defined, non-zero values. In this case, we may calculate the value $\frac{f_P'}{f_P}(R + T)$ using exponentiation in a generalized jacobian with modulus $2(R + T)$ for $R \in E[p]$, with $T$ of order 2. The value will differ from the value $\lambda(R)$ by the constant factor $y(R + T)/y(R)$.

3. A "Weil pairing" on the $p$-torsion of $\tilde{E}(K[\epsilon])$

Let $\tilde{E}$ denote $\tilde{E}(K[\epsilon])$, the canonical lift of $E : y^2 = x^3 + Ax + B$ to $K[\epsilon]$. We define the pairing

$e_p : \tilde{E}[p] \times \tilde{E}[p] \to \mu_p(K[\epsilon])$

by first defining a bilinear map $e$ on $E[p] \times \Theta$, and then extending it to $\tilde{E}[p]$ in such a way that the necessary properties hold.

Let $P \in E[p]$ and let $T$ be a point of order two. Consider the divisor $D_P = (P + T) - (T)$. Let $f_P$ be the function on $E$ with divisor $pD_P$, unique up to a non-zero constant. We use the notation of Section 2.2. Recall that to compute $f_P$ evaluated at a point $Q$, we choose an addition chain decomposition for $p$ and compute the product of cocycle contributions of the form $h_{i,j}(Q)$, where $h_{i,j}$ are ratios of lines translated by $T$.

Any function in $K(E)$ is a well-defined function on the affine points of $\tilde{E}(K[\epsilon])$, provided that the denominator is invertible. We will see that this is true for $h_{i,j}$ on certain points of $\tilde{E}$, thereby making the computation of $\prod_C h_{i,j}$ legitimate.

Definition 3.1. Fix $R \in E[p]$ such that $R \notin E[2]$. Let $C$ be an addition chain decomposition for $p$. Define the map $e : E[p] \times \Theta \to \mu_p(K[\epsilon])$ by

$e(P, O_k) = \begin{cases} \displaystyle\prod_C \dfrac{h_{i,j}(O_k + R)}{h_{i,j}(R)} & \text{if } P \neq P_\infty \text{ and } O_k \neq P_\infty, \\[1.5ex] 1 & \text{if } P = P_\infty \text{ or } O_k = P_\infty. \end{cases}$
The proof of the following theorem is given in the next section.

Theorem 3.2. The map $e$ is well-defined and bilinear and independent of the addition chain decomposition of $p$. Furthermore, for any divisor $D_P$ summing to $P$ and any $R \in E(K)$,

$e(P, O_k) = 1 - 2\left(y\dfrac{f_P'}{f_P}\right)(R)\,k\epsilon,$

where $f_P$ is the normalized function with divisor $pD_P$.

We now may define the Weil pairing on $p$-torsion. Extend the map $e$ to

$e_p : \tilde{E}[p] \times \tilde{E}[p] \to \mu_p(K[\epsilon])$

such that

• $e_p(P, O_k) = e(P, O_k)$ for all $P \in E[p]$,
• $e_p(P, Q) = 1$ for all $P, Q \in E[p]$,
• $e_p(O_k, O_j) = 1$ for all $j, k \in K$,
• $e_p$ is bilinear,
• $e_p$ is anti-symmetric: $e_p(P, Q) = e_p(Q, P)^{-1}$.

Theorem 3.3. The map $e_p$ is non-degenerate. That is, if $e_p(P, Q) = 1$ for all $P \in \tilde{E}[p]$, then $Q = P_\infty$, and if $e_p(P, Q) = 1$ for all $Q \in \tilde{E}[p]$, then $P = P_\infty$.

The proof of this theorem is given in the next section. 

Remark: Note that we are defining $e_p(P, O_k)$ to be the result of Miller's algorithm to compute

$\dfrac{f_P(O_k + R)}{f_P(R)}.$

This definition can thus be viewed as the analog of the Weil pairing definition for $n$ prime to $p$:

$e_n(P, Q) = \dfrac{f_P(Q + R)\,f_Q(R)}{f_P(R)\,f_Q(P + R)}.$

Recall that Miller's algorithm computes the value of $f_Q$ as the product of ratios of lines through multiples of the point $Q$. For $Q = O_k$, this involves products of lines through points at infinity (which would then be evaluated at affine points of $E(K)$). Assuming such a line has the form $\ell = 0$ with $\ell(x, y, z) = ax + by + cz$ and $a, b, c \in K[\epsilon]$, there is not a unique choice for such a line. For example, any line of the form $a\epsilon x + cz$, for $a \in K$, $c \in K[\epsilon]$, passes through the points $O_k, O_j$. We make the choice of the line $\ell = cz$. When evaluated at affine points, this becomes the constant function $c$ which normalized is just 1. The value of $f_Q(P + R)/f_Q(R)$ for $Q = O_k$ may therefore naturally be considered to be 1.

We now show how the Weil pairing $e_p$ can be used to solve the DLP on $p$-subgroups of elliptic curves over $\mathbb{F}_q$. Given $P, Q \in E[p]$ with $Q = nP$, calculate $e_p(P, O_1) = 1 + a\epsilon$ and $e_p(Q, O_1) = 1 + b\epsilon$. Since $e_p$ is bilinear, $e_p(Q, O_1) = e_p(P, O_1)^n = (1 + a\epsilon)^n = 1 + na\epsilon$. Thus it suffices to solve the equation $b = na$ for $n \in \mathbb{Z}/p\mathbb{Z}$ by computing the multiplicative inverse of $a$. By Theorem 3.2, for $R \in E[p]$, this process is essentially Semaev's algorithm to solve the DLP in $p$-subgroups. Therefore, we see that Semaev's algorithm may be interpreted as a Weil-pairing based attack.
4. Proof of properties of the pairing

To show that $e$ is well-defined and bilinear, we relate its calculation to the map $\lambda$ from Section 2.3. For this, we need the following lemma.

Lemma 4.1. Let $\ell_{i,j}$ denote the line through $iP$ and $jP$, and let $v_i$ denote the vertical line through $iP$. Let $\tau$ denote translation by $-T$ and let

$h_{i,j} = \begin{cases} \dfrac{\ell_{i,j}}{v_{i+j}} \circ \tau & i + j \neq p, \\[1ex] v_i \circ \tau & i + j = p. \end{cases}$

Let $R \in E[p]$ with $R \neq P_\infty$. Then

$\dfrac{h_{i,j}(O_k + R)}{h_{i,j}(R)} = 1 - 2y(R)\dfrac{h_{i,j}'}{h_{i,j}}(R)\,k\epsilon.$



Proof: We first show that

$h_{i,j}(O_k + R) = h_{i,j}(R) - 2y(R)\,h_{i,j}'(R)\,k\epsilon.$

We can think of this as analogous to the calculus approximation of $f(x_0 + \epsilon)$ by the value $f(x_0) + f'(x_0)\epsilon$.

Let $S = R + T = (x_0, y_0)$. Assume $i + j \neq p$. Fix $i, j$ and let $h_{i,j} = h = \frac{\ell}{v} \circ \tau$. Since we are evaluating $h_{i,j}$ at affine points, we have $\ell = y - mx - b$ and $v = x - c$ for some $m, b, c \in K$.

Since $v$ is a line through a multiple of $P$, and $S \notin E[p]$, we see that $x_0 - c \neq 0$. Thus $h(R) = \frac{\ell}{v}(S)$ is well-defined. Furthermore, since $O_k + S = (x_0 - 2y_0k\epsilon : y_0 - (3x_0^2 + A)k\epsilon : 1)$, the denominator of $h(O_k + R)$ is invertible, and thus the value $h(O_k + R)$ is well-defined. Then

$h(O_k + R) = \dfrac{(y_0 - mx_0 - b) + (2y_0m - (3x_0^2 + A))k\epsilon}{(x_0 - c) - 2y_0k\epsilon}$

$= \big((y_0 - mx_0 - b) + (2y_0m - (3x_0^2 + A))k\epsilon\big)\big((x_0 - c)^{-1} + (x_0 - c)^{-2}\,2y_0k\epsilon\big)$

$= h(R) + \big((2y_0m - (3x_0^2 + A))(x_0 - c)^{-1} + h(R)(x_0 - c)^{-1}\,2y_0\big)k\epsilon.$

Recall from Section 2.3 that $h'(R) = \frac{y(S)}{y(R)}\left(\frac{\ell}{v}\right)'(S)$. Since $v' = 1$ and $\ell'(S) = \frac{3x_0^2 + A}{2y_0} - m$, we have

$h'(R) = \dfrac{1}{2y(R)}\Big((3x_0^2 + A - 2y_0m)(x_0 - c)^{-1} - 2y_0\,h(R)(x_0 - c)^{-1}\Big),$

and therefore $h(O_k + R) = h(R) - 2y(R)h'(R)k\epsilon$.

For $i + j = p$, we have $h = v \circ \tau$ and $h'(R) = \frac{y(S)}{y(R)}$ by the equation in Section 2.3. Then

$h(O_k + R) = v \circ \tau(O_k + R) = v(O_k + S) = (x_0 - c) - 2y_0k\epsilon = h(R) - 2y(R)h'(R)k\epsilon.$

It remains to show that $h(R) \neq 0$. The fact that $R \in E[p]$ implies that $S$ is not a zero of the line described by $\ell$ or $v$. Therefore, in both cases, $h(R) \neq 0$, and the result follows. □



Now we can prove Theorems 3.2 and 3.3.
Proof (Thm. 3.2): Fix $P, O_k$ and an addition chain decomposition $C$ for $p$. Note that by Lemma 4.1, $e(P, O_k)$ is well-defined. Let $f_P$ be the function with divisor $pD_P$ for $D_P = (P + T) - (T)$. Let $R \in E[p]$ with $R \neq P_\infty$. Then $\frac{f_P'}{f_P} = \sum_C \frac{h_{i,j}'}{h_{i,j}}$. We have

$e(P, O_k) = \prod_C \dfrac{h_{i,j}(O_k + R)}{h_{i,j}(R)}$

$= \prod_C \Big(1 - 2y(R)\dfrac{h_{i,j}'}{h_{i,j}}(R)\,k\epsilon\Big)$

$= 1 - 2y(R)\Big(\sum_C \dfrac{h_{i,j}'}{h_{i,j}}(R)\Big)k\epsilon$

$= 1 - 2y(R)\dfrac{f_P'}{f_P}(R)\,k\epsilon.$

Note that $\frac{f_P'}{f_P}(R) = \lambda(P)$, where $\lambda$ is the homomorphism with respect to $P$ from Section 2.3. Thus since $e(P, O_k) = 1 - 2k\left(y\frac{f_P'}{f_P}\right)(R)\epsilon$, the map $e$ is linear in the first coordinate. Furthermore, since $O_k + O_j = O_{k+j}$, we have that $e$ is linear in the second coordinate. Therefore, $e$ is bilinear. Since $\sum_C \frac{h_{i,j}'}{h_{i,j}}$ is independent of addition chain decomposition, so is the value of $e$.

As shown in [6], $\mathrm{div}\left(y\frac{f_P'}{f_P}\right) = 0$, thus $y\frac{f_P'}{f_P}$ is a constant function on $E(K)$. For $R \in E[p]$, we've just seen that $e(P, O_k) = 1 - 2\left(y\frac{f_P'}{f_P}\right)(R)k\epsilon$. Therefore

$e(P, O_k) = 1 - 2k\left(y\dfrac{f_P'}{f_P}\right)(R)\epsilon$

for all $R$, and thus $e$ is independent of $R$. Furthermore, since $\frac{f_P'}{f_P}$ is independent of the divisor for $P$, as shown in [6], the value of $e$ is independent of choice of the divisor for $P$. □

Proof (Thm. 3.3): Let $\tilde{P} \in \tilde{E}(K[\epsilon])[p]$. We show that if $\tilde{P} \neq P_\infty$ then there exists $\tilde{Q} \in \tilde{E}(K[\epsilon])[p]$ such that $e_p(\tilde{P}, \tilde{Q}) \neq 1$. This shows non-degeneracy in the first coordinate, and by the property of anti-symmetry, non-degeneracy in the second coordinate will follow.

By Lemma 2.1, $\tilde{P}$ may be written as $P_0 + O_k$ for $P_0 \in E(K)$ and $k \in K$. If $P_0 \neq P_\infty$, let $\tilde{Q} = O_1$. Then $e_p(\tilde{P}, \tilde{Q}) = e_p(P_0, O_1)e_p(O_k, O_1) = e_p(P_0, O_1)$. Let $R \in E[p]$ with $R \neq P_\infty$. By Proposition 2.2, $\frac{f_{P_0}'}{f_{P_0}}(R)$ is non-zero. Therefore, since $e_p(P_0, O_1) = 1 - 2\left(y\frac{f_{P_0}'}{f_{P_0}}\right)(R)\epsilon$ and $R \notin E[2]$, we have that $e_p(\tilde{P}, \tilde{Q}) \neq 1$.

If $P_0 = P_\infty$, then $k \neq 0$, since $\tilde{P} \neq P_\infty$. Let $Q, R \in E[p]$ with $Q, R \neq P_\infty$. Then $e_p(\tilde{P}, Q) = e_p(O_k, Q) = 1 + 2\left(y\frac{f_Q'}{f_Q}\right)(R)k\epsilon$. Since $k \neq 0$ and $R \notin E[2]$, we have that $e_p(\tilde{P}, Q) \neq 1$, as desired. □

5. Rück's algorithm for solving the DLP on $p$-torsion

Recall the homomorphism from Section 2.3:

$E[p] \to \mathrm{Pic}^0_K(E)[p] \to H_K(E) \to \mathcal{L}_{\mathrm{div}(dt)} \to K^+.$

Choosing the divisor $D_P = (P) - (P_\infty)$ and evaluation point $R = P_\infty$, we may compute the value of $\frac{df_P/dt}{f_P}(R)$ by simply summing the slopes of lines through multiples of $P$ for any addition chain decomposition. This fact is noted in [3], where it is referred to as the "Rück algorithm," and a slight variation is found in [12]. In [5], Rück refers to the result of this algorithm as "the additive version of the Tate pairing." We make this remark explicit by relating the algorithm to the pairing of $E[p]$ and $\Theta$ which we've defined.

Proposition 5.1. Let $m_{i,j}$ be the slope of the line through $iP$ and $jP$, and let $C$ be an addition chain decomposition for $p$. Then

$e(P, O_k) = 1 + \Big(\sum_C m_{i,j}\Big)k\epsilon.$



Proof: As $e$ is independent of divisor and evaluation point, we may choose the divisor $D_P = (P) - (P_\infty)$ and evaluation point $R = P_\infty$. This means we must calculate

$e(P, O_k) = 1 - 2\left(y\dfrac{f_P'}{f_P}\right)(P_\infty)\,k\epsilon.$

Since we evaluate at $P_\infty$, we want to expand functions around the uniformizer for $P_\infty$, namely $t = -\frac{x}{y}$. Using the relation between $dx$ and $dt$, we are looking to compute

$\dfrac{df_P/dt}{f_P} \cdot \dfrac{x^3 + Ax + 2B}{y^2}.$

Recall that $x$ and $y$ have poles at $P_\infty$ of order 2 and 3, respectively. In particular, $x = t^{-2} + O(t)$ and $y = -t^{-3} + O(t)$ ([8], p. 113). Thus $\frac{x^3 + Ax + 2B}{y^2} = -1 + O(t)$, and hence this contributes a factor of $-1$ when we evaluate at $P_\infty$.

We now focus on computing $\frac{df_P/dt}{f_P}(P_\infty)$. Since $D_P = (P) - (P_\infty)$, this reduces to computing $\frac{dh_{i,j}/dt}{h_{i,j}}$ where $h_{i,j}$ is defined as in Section 2.2. In particular, we show that

$\dfrac{dh_{i,j}/dt}{h_{i,j}} = \begin{cases} -\dfrac{1}{t} + m_{i,j} + O(t) & \text{if } i + j \neq p, \\[1.5ex] -\dfrac{2}{t} + O(t) & \text{if } i + j = p. \end{cases}$ (3)

For $i + j \neq p$,

$h_{i,j} = \dfrac{\ell}{v} = \dfrac{y - mx - b}{x - c} = -\dfrac{1}{t} - m + O(t).$

Thus

$\dfrac{dh/dt}{h} = -\dfrac{1}{t} + m + O(t).$

For $i + j = p$, $h_{i,j} = v$. Expanding $v$ around $t$, we get $v = x - c = t^{-2} - c + O(t)$. Thus

$\dfrac{dv/dt}{v} = -\dfrac{2}{t} + O(t),$

and (3) is proved.

Note that using an addition chain decomposition for $p$ to calculate $f_P$ will result in $p - 1$ terms of the form $h_{i,j}$ with exactly one such that $i + j = p$. Thus the pole contributions of the $h_{i,j}$ total to zero in characteristic $p$ and

$\dfrac{df_P/dt}{f_P} = -\dfrac{p}{t} + \sum_C m_{i,j} + O(t) = \sum_C m_{i,j} + O(t).$

Evaluating at $P_\infty$ yields the result. □
Corollary 5.2. (Rück, [5]) Let $f_P$ be any function with divisor $p(P) - p(P_\infty)$ and let $t = -\frac{x}{y}$. Let $m_{i,j}$ denote the slope of the line through $iP$ and $jP$, and let $C$ be an addition chain decomposition for $p$. Then

$\dfrac{df_P/dt}{f_P}(P_\infty) = \sum_C m_{i,j}.$
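As an added worked example (my own code, not the paper's or Rück's), the sum of slopes of Proposition 5.1 is accumulated along a double-and-add addition chain for $p$, giving $e(P, O_k) = 1 + (\sum_C m_{i,j})k\epsilon$ as a dual number, and then used to solve the DLP exactly as in Section 3 via $(1 + a\epsilon)^n = 1 + na\epsilon$; this is also why curve-validation checks reject anomalous curves ($\#E(\mathbb{F}_p) = p$). The curve $y^2 = x^3 + 3x + 2$ over $\mathbb{F}_5$ is constructed for the demonstration (it has exactly 5 points) and `find_anomalous` locates a second toy instance over $\mathbb{F}_{43}$ by brute force; all function names are my own.

```python
"""Rück's sum-of-slopes evaluation of e(P, O_k) (Proposition 5.1) and the
resulting DLP solver from Section 3, on constructed toy anomalous curves.
Function names are mine, not the paper's."""

def inv(a, p):
    """Multiplicative inverse mod a prime p (a must be nonzero mod p)."""
    return pow(a % p, p - 2, p)

def count_points(p, A, B):
    """#E(F_p) for y^2 = x^3 + Ax + B by brute force (toy sizes only)."""
    sq = [0] * p                          # sq[v] = number of y with y^2 = v
    for y in range(p):
        sq[y * y % p] += 1
    return 1 + sum(sq[(x * x * x + A * x + B) % p] for x in range(p))

def find_anomalous(p):
    """First non-singular (A, B) with #E(F_p) = p; such a curve exists for
    every prime p >= 5 (trace 1 lies within the Hasse bound)."""
    for A in range(p):
        for B in range(p):
            if (4 * A**3 + 27 * B**2) % p != 0 and count_points(p, A, B) == p:
                return A, B
    raise ValueError("no anomalous curve found")

def first_point(p, A, B):
    """Some affine point on the curve (any non-identity point has order p)."""
    for x in range(p):
        for y in range(p):
            if (y * y - x * x * x - A * x - B) % p == 0:
                return (x, y)
    raise ValueError("curve has no affine points")

def add_with_slope(P, Q, p, A):
    """Return (P + Q, m) where m is the slope of the line through P and Q,
    or (None, None) when that line is vertical, i.e. P + Q = P_oo."""
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None, None                 # vertical line: no slope term
    if P == Q:
        m = (3 * x1 * x1 + A) * inv(2 * y1, p) % p
    else:
        m = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3), m

def scalar_mult(P, n, p, A):
    """Plain double-and-add n*P for 0 < n < p (used to build instances)."""
    R = None
    for bit in bin(n)[2:]:
        if R is not None:
            R, _ = add_with_slope(R, R, p, A)
        if bit == '1':
            R = P if R is None else add_with_slope(R, P, p, A)[0]
    return R

def rueck_lambda(P, p, A):
    """sum_C m_{i,j} over the double-and-add addition chain decomposition of
    p, counted with multiplicity: lambda_1 = 0, lambda_{2k} = 2*lambda_k + m_{k,k},
    lambda_{2k+1} = lambda_{2k} + m_{2k,1}.  The last step (i + j = p) is a
    vertical line and contributes nothing.  Requires P of order p."""
    R, lam = P, 0
    for bit in bin(p)[3:]:                # bits of p below the leading one
        R, m = add_with_slope(R, R, p, A)
        lam = (2 * lam + m) % p
        if bit == '1':
            R, m = add_with_slope(R, P, p, A)
            lam = (lam + (m or 0)) % p    # m is None only on the final step
    assert R is None, "P is not a point of order p"
    return lam

def pairing_e(P, k, p, A):
    """e(P, O_k) = 1 + (sum_C m_{i,j}) k eps, returned as the dual number (1, c1)."""
    return (1, rueck_lambda(P, p, A) * k % p)

def dual_pow(u, n, p):
    """(c0 + c1 eps)^n = c0^n + n c0^(n-1) c1 eps in F_p[eps], for n >= 1."""
    c0, c1 = u
    return (pow(c0, n, p), n * pow(c0, n - 1, p) * c1 % p)

def solve_dlp(P, Q, p, A):
    """Section 3: with e_p(P, O_1) = 1 + a eps and e_p(Q, O_1) = 1 + b eps,
    bilinearity gives b = n a, so n = b / a in F_p."""
    a = pairing_e(P, 1, p, A)[1]
    b = pairing_e(Q, 1, p, A)[1]
    return b * inv(a, p) % p

if __name__ == "__main__":
    p, A, B = 5, 3, 2                     # constructed: y^2 = x^3 + 3x + 2 over F_5
    assert count_points(p, A, B) == p     # ... has exactly 5 points
    P, Q = (1, 1), scalar_mult((1, 1), 3, p, A)
    print("e(P,O_1) =", pairing_e(P, 1, p, A), " e(Q,O_1) =", pairing_e(Q, 1, p, A))
    print("e(P,O_1)^3 =", dual_pow(pairing_e(P, 1, p, A), 3, p), " n =", solve_dlp(P, Q, p, A))
    p = 43                                # a larger constructed instance
    A, B = find_anomalous(p)
    P = first_point(p, A, B)
    Q = scalar_mult(P, 17, p, A)
    print("p = 43: curve (A, B) =", (A, B), " recovered n =", solve_dlp(P, Q, p, A))
```

Running `rueck_lambda` on the same point with a different addition chain gives the same value, which is the decomposition-independence proved in Theorem 3.2.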

6. The map $e_p$ and isogenies of $\tilde{E}(K[\epsilon])$

Let $\phi : E_1 \to E_2$ be an isogeny between curves given by the Weierstrass forms $y^2 = x^3 + A_ix + B_i$. Let $\tilde{E}_i$ denote the canonical lift of $E_i$, as defined in 2.1. In this section, we show how to extend $\phi$ to a homomorphism $\tilde\phi : \tilde{E}_1 \to \tilde{E}_2$ in such a way that the following proposition holds:

Proposition 6.1. For any isogeny $\phi : E_1 \to E_2$,

$e_p(\tilde\phi(P), \tilde\phi(Q)) = e_p(P, Q)^{\deg\phi}.$

As $\tilde{E}_i \cong E_i \oplus \Theta_i$, it suffices to define $\tilde\phi : \Theta_1 \to \Theta_2$ and then extend it linearly to a map $\tilde\phi : \tilde{E}_1 \to \tilde{E}_2$. Let $x_i, y_i$ denote the coordinate functions of $E_i$, and let $t_i = -\frac{x_i}{y_i}$ be a uniformizer at $P_\infty^{(i)}$, the point at infinity of $E_i$. Let $m \in K$ be such that $t_2 \circ \phi = mt_1 + O(t_1^2)$. (To obtain the value $m$, expand $x_1$ and $y_1$ around $t_1$ and use the fact that $x_2$ and $y_2$ are rational functions of $x_1$ and $y_1$ to obtain $t_2 \circ \phi$ as a function of $t_1$.)

Definition 6.2. For $\phi : E_1 \to E_2$, define $\tilde\phi : \Theta_1 \to \Theta_2$ by $\tilde\phi(O_k) = O_{mk}$.

First note that $\tilde\phi : \Theta_1 \to \Theta_2$ is a homomorphism with respect to this definition. Furthermore, it is compatible with composition of isogenies. That is, if $\phi : E_1 \to E_2$ and $\psi : E_2 \to E_3$ are isogenies, then $\widetilde{(\psi \circ \phi)}(O_k) = \tilde\psi(\tilde\phi(O_k))$. This follows from the fact that if $t_2 \circ \phi = m_1t_1 + O(t_1^2)$ and $t_3 \circ \psi = m_2t_2 + O(t_2^2)$ then $t_3 \circ (\psi \circ \phi) = (m_1m_2)t_1 + O(t_1^2)$.

The motivation for the definition is as follows. If $\phi$ is inseparable, then $\phi = \phi_s \circ \pi^r$, where $\phi_s$ is separable and the degree of inseparability of $\phi$ is $p^r$. The map $\pi : (x : y : z) \mapsto (x^p : y^p : z^p)$ is well-defined on the points of $\tilde{E}(K[\epsilon])$, and clearly $(k\epsilon : 1 : 0) \mapsto (0 : 1 : 0)$. Thus we should define $\tilde\phi(O_k) = P_\infty$. (Note that this agrees with the idea that $\Theta$ is acting as the replacement for the "missing" geometric points of $p$-torsion, the "kernel of Frobenius.") But $m = 0$ if $\phi$ is inseparable, since the order of $t_2 \circ \phi$ at $P_\infty^{(1)}$ is equal to the degree of inseparability ([8], p. 76), so

$\tilde\phi(O_k) = O_{mk} = P_\infty^{(2)}.$

Now consider $\phi$ separable. Then $t_2 \circ \phi$ is a uniformizer for $P_\infty^{(2)}$, so $m \neq 0$. Suppose we want $\tilde\phi(O_k) = O_j$ for some $j \in K$. Since $t_2 \circ \phi(O_k) = t_2((j\epsilon : 1 : 0)) = -j\epsilon$ and $(mt_1 + O(t_1^2))(O_k) = -mk\epsilon$, it makes sense to define $j = mk$.

Next we extend the isogeny $\phi : E_1 \to E_2$ to the affine points of $\tilde{E}_1(K[\epsilon])$.

Definition 6.3. Let $\tilde{P}$ be a lift of an affine point $P \in E_1(K)$. Let $T \in E_1(K)$ with $T \notin \ker\phi$. Let $\tau$ denote translation and let $\phi_T = \tau_{\phi(-T)} \circ \phi \circ \tau_T$. Define

$\tilde\phi(\tilde{P}) = \begin{cases} \phi(\tilde{P}) & \text{if } P \notin \ker\phi, \\ \phi_T(\tilde{P}) & \text{if } P \in \ker\phi. \end{cases}$

Note that this definition is independent of $T$. That is, for $T, T' \notin \ker\phi$, we have $\phi_T(\tilde{P}) = \phi_{T'}(\tilde{P})$ for all $P \in \ker\phi$. Furthermore, $\phi_T(\tilde{P}) = \phi(\tilde{P})$ for all $\tilde{P} \in \tilde{E}_1(K[\epsilon])$ for which both isogenies are defined. This follows from the fact that $\tilde\phi$ is a homomorphism (see Proposition 6.4 below).

We need to establish that this definition yields well-defined points in $\tilde{E}_2(K[\epsilon])$. First note that any isogeny $\phi$ can be written as $\phi(x, y) = (r(x), y\,s(x))$ where $r, s$ are rational functions of $x$ ([11], p. 47). Thus, we can evaluate on affine points $\tilde{P} = (x_0 + x_1k\epsilon : y_0 + y_1k\epsilon : 1) \in \tilde{E}_1(K[\epsilon])$ provided that the denominators of $r$ and $s$ are invertible when evaluated at $\tilde{P}$. This will be the case for all $\tilde{P}$ such that $P = (x_0, y_0)$ is not a kernel point of $\phi$.

Note that $\phi(\tilde{P})$ is in fact a point of $\tilde{E}_2(K[\epsilon])$. For all $(x, y) \in E_1(K)$,

$y^2 s(x)^2 = r(x)^3 + A_2 r(x) + B_2.$ (4)

Therefore, for all $x \in K$, we have

$(x^3 + A_1x + B_1)s(x)^2 = r(x)^3 + A_2 r(x) + B_2.$ (5)

This is an identity in the function field $K(x)$. Let $\tilde{P} = (x, y) \in \tilde{E}_1(K[\epsilon])$. Then $x$ satisfies (5) and since $y^2 = x^3 + A_1x + B_1$, we have that $(x, y)$ satisfies (4). Therefore $\phi(\tilde{P}) \in \tilde{E}_2(K[\epsilon])$.

Now consider $\tilde{P}$ such that $P \in \ker\phi$. If $T \notin \ker\phi$, then $P + T \notin \ker\phi$, so $\tau_{\phi(-T)} \circ \phi \circ \tau_T$ is well-defined on these $\tilde{P}$ and yields a point of $\tilde{E}_2(K[\epsilon])$, since translation by $T$ is a map of the curve to itself.

Combining Definitions 6.2 and 6.3 we can extend $\phi$ to the map $\tilde\phi : \tilde{E}_1 \to \tilde{E}_2$, which we show is a homomorphism.

Proposition 6.4. Let $\tilde{P}, \tilde{Q} \in \tilde{E}_1(K[\epsilon])$. Then

$\tilde\phi(\tilde{P}) + \tilde\phi(\tilde{Q}) = \tilde\phi(\tilde{P} + \tilde{Q}).$

Proof: By Lemma 2.1, any point of $\tilde{E}_1(K[\epsilon])$ decomposes as a point of $E_1(K)$ and $\Theta$. Thus, since $\tilde\phi$ is a homomorphism of each of these groups, it suffices to show that

$\phi(P) + \tilde\phi(O_k) = \tilde\phi(\tilde{P}),$ (6)

where $\tilde{P} = P + O_k$.

Consider $P = (x_0, y_0)$ with $P \notin \ker\phi$. Then we have $\tilde{P} = (x_0 + x_1k\epsilon, y_0 + y_1k\epsilon)$, where $x_1 = -2y_0$ and $y_1 = -(3x_0^2 + A_1)$. Suppose that $t_2 \circ \phi = mt_1 + O(t_1^2)$. Then

$\phi(x_0, y_0) + \tilde\phi(O_k) = (r(x_0), y_0s(x_0)) + (mk\epsilon : 1 : 0)$

$= \big(r(x_0) - 2y_0s(x_0)(mk)\epsilon : y_0s(x_0) - (3r(x_0)^2 + A_2)(mk)\epsilon : 1\big).$

On the other hand we have

$\phi((x_0 + x_1k\epsilon, y_0 + y_1k\epsilon)) = \big(r(x_0) + r'(x_0)x_1k\epsilon,\ y_0s(x_0) + (y_0s'(x_0)x_1 + y_1s(x_0))k\epsilon\big).$

Now suppose further that $P \notin E[2]$. Since the point satisfies the Weierstrass equation of $E_2$, the ratio of the $\epsilon$-coefficients of the coordinates equals $\frac{3r(x_0)^2 + A_2}{2y_0s(x_0)}$ by Lemma 2.1. Thus it suffices to verify that the $\epsilon$-coefficients of the $x$-coordinates agree. Since $x_1 = -2y_0$, this reduces to showing that $s(x_0)m = r'(x_0)$, or equivalently, that $\omega_2 \circ \phi = m\,\omega_1$, where $\omega_i = \frac{dx_i}{y_i} = (1 + O(t_i))dt_i$ is an invariant differential of $E_i$. Expanding $\omega_2 \circ \phi$ around $t_1$ and using the fact that $t_2 \circ \phi = mt_1 + O(t_1^2)$, we have that $\omega_2 \circ \phi = (m + O(t_1))dt_1$. Thus $\frac{\omega_2 \circ \phi}{\omega_1}(P_\infty) = m$. Since $\omega_2 \circ \phi$ and $\omega_1$ are both invariant differentials, this is a constant function and (6) holds for $P \notin \ker\phi \cup E[2]$. Using the equivalence of the $\epsilon$-coefficients of the $y$-coordinates, we have that

$(3r(x)^2 + A_2)m = (3x^2 + A_1)s(x)$

for infinitely many $x \in K$, and therefore this is an identity in $K(x)$. Thus, for $P \in E[2]$, $(3r(x_0)^2 + A_2)m = (3x_0^2 + A_1)s(x_0)$, and (6) holds for points of order two.

Finally, for $P \in \ker\phi$, choose $T \notin \ker\phi$. By Definition 6.3 and (6), $\tilde\phi(P + O_k) = \phi_T(P + O_k) = \tilde\phi(P + O_k + T) + \phi(-T) = \tilde\phi(P + T) + \tilde\phi(O_k) + \phi(-T) = \phi_T(P) + \tilde\phi(O_k)$. Therefore, (6) holds for all $P \in E(K)$, and $\tilde\phi$ is a homomorphism. □

Lemma 6.5. Let $\phi : E_1 \to E_2$ be an isogeny with $t_2 \circ \phi = mt_1 + O(t_1^2)$ for $m \in K$. Then

$e(\phi(P), O_{mk}) = e(P, O_k)^{\deg\phi}.$

Proof: If $\phi$ is inseparable, then the degree of inseparability is $q = p^r$ for some $r > 0$ and thus $p$ divides $\deg\phi$. Furthermore, $m = 0$ since the order of $t_2 \circ \phi$ at $P_\infty^{(1)}$ is the degree of inseparability. So both $e(P, O_k)^{\deg\phi}$ and $e(\phi(P), O_{mk}) = e(\phi(P), O_k)^m$ equal 1, and the result holds.

Now assume $\phi$ is separable, which implies that $m \neq 0$. Write $P_1 = P$ and $P_2 = \phi(P)$. By the proof of Proposition 5.1, it suffices to show that

$m\,\dfrac{df_{P_2}/dt_2}{f_{P_2}}(P_\infty^{(2)}) = (\deg\phi)\,\dfrac{df_{P_1}/dt_1}{f_{P_1}}(P_\infty^{(1)}).$

Let $\ker\phi = \{R_1, \ldots, R_s\}$. Since $\mathrm{div}(f_{P_2}) = p(P_2) - p(P_\infty)$ and $\phi$ is separable, $\mathrm{div}(f_{P_2} \circ \phi) = \sum_{i=1}^s p(P_1 + R_i) - p(R_i)$. Let $g_i$ be the function with $\mathrm{div}(g_i) = (P_1 + R_i) - (R_i) - (P_1) + (P_\infty)$. Then

$\mathrm{div}(f_{P_2} \circ \phi) = \sum_{i=1}^s p\big[(P_1) - (P_\infty) + \mathrm{div}(g_i)\big] = \sum_{i=1}^s \mathrm{div}(f_{P_1}g_i^p).$

Thus, up to a constant, $f_{P_2} \circ \phi = f_{P_1}^s\big(\prod_{i=1}^s g_i\big)^p$. Since the characteristic of $K$ is $p$,

$d(f_{P_2} \circ \phi) = (\deg\phi)\,f_{P_1}^{s-1}(df_{P_1})\Big(\prod_{i=1}^s g_i\Big)^p.$

Thus

$\dfrac{d(f_{P_2} \circ \phi)}{f_{P_2} \circ \phi} = (\deg\phi)\,\dfrac{df_{P_1}}{f_{P_1}}.$ (7)

Note that for any function $g$ expanded around $t$, $\frac{dg}{dt} \circ \phi = \frac{d(g \circ \phi)}{d(t \circ \phi)}$. Using this and (7), we have

$\dfrac{df_{P_2}/dt_2}{f_{P_2}}(P_\infty^{(2)}) = \dfrac{d(f_{P_2} \circ \phi)/d(t_2 \circ \phi)}{f_{P_2} \circ \phi}(P_\infty^{(1)}) = (\deg\phi)\,\dfrac{df_{P_1}/dt_1}{f_{P_1}} \cdot \dfrac{dt_1}{d(t_2 \circ \phi)}(P_\infty^{(1)}).$

From the fact that $\frac{d(t_2 \circ \phi)}{dt_1} = m + O(t_1)$, we have

$m\,\dfrac{df_{P_2}/dt_2}{f_{P_2}}(P_\infty^{(2)}) = (\deg\phi)\,\dfrac{df_{P_1}/dt_1}{f_{P_1}}(P_\infty^{(1)}),$

and the lemma is proved. □

The proof of Proposition 6.1 is now immediate. From Lemma 6.5 and Definition 6.2 we have

$e_p(\tilde\phi(P), \tilde\phi(O_k)) = e(\phi(P), O_{mk}) = e_p(P, O_k)^{\deg\phi}.$

Thus, since $e_p$ is bilinear and $\tilde\phi$ is a homomorphism, the proposition holds.

7. Another application of elliptic curves over the dual numbers 

We have seen how the extension of the Weil pairing to p-torsion over the dual 
numbers directly leads to the previously defined maps of [5] and [6]. Though we 
have not gained any "new" information, we have shown that discrete logarithm 
attacks on p-torsion subgroups of [5] and [6] may be interpreted as Weil-pairing- 
based attacks, exactly the same as the MOV attack on prime-to-p torsion subgroups. 
In this section, we give another example of how looking at elliptic curves over the 
dual numbers may be a fruitful approach. 

The DLP attack on anomalous curves of Smart [9] involves working in E(Z/p 2 Z) 
where E is a non-canonical lift of E (meaning p-torsion points of E are no longer 
p-torsion when lifted to E). The attack involves lifting points P,Q e E[p) with 
Q = nP to £?(Z/p 2 Z), multiplying the points by p, and applying the map (x, y) i— > 
-. In this way, solving for n such that nP = Q reduces to solving an instance of 
the DLP in F+ . The fact that this map is a homomorphism may be shown via the 
p-adic elliptic logarithm (see [S], or [TT], p. 190). 

If we consider $\tilde E(\mathbb{F}_p[\epsilon])$ instead, the attack works analogously, and the reasoning 
behind it is elementary. (In fact, the attack works for $\tilde E(K[\epsilon])$, where $K$ is any field 
of characteristic $p \neq 0, 2, 3$.) Lift $P, Q$ to $\tilde P, \tilde Q \in \tilde E(\mathbb{F}_p[\epsilon])$. The points $\tilde P, \tilde Q$ may 
no longer be dependent. However, since $nP = Q$ in $E(\mathbb{F}_p)$, there exists $R \in \theta$ such 
that $n\tilde P - \tilde Q = R$. Since $P, Q$ are points of $p$-torsion, $p\tilde P, p\tilde Q \in \theta$. Thus we have 
the following equation in $\theta$: 

$$ p(n\tilde P) - p\tilde Q = pR = P_\infty. \qquad (8) $$

Note that $p\tilde P, p\tilde Q = P_\infty$ if and only if $\tilde P$ and $\tilde Q$ are $p$-torsion points in $\tilde E$. Thus if 
this is not the case, we can translate (8) to an instance of the DLP in $\mathbb{F}_p^+$ via the 
homomorphism $(k\epsilon : 1 : 0) \mapsto k$ and then solve for $n$. 

This version is more efficient, as computations in $\mathbb{F}_p[\epsilon]$ are more straightforward 
than in $\mathbb{Z}/p^2\mathbb{Z}$. It may present another advantage as well, related to the fact that 
the DLP attack requires that the lift of the curve over $\mathbb{F}_p$ be non-canonical. 

Let $\tilde E$ be any lift of the curve $E : y^2 = x^3 + Ax + B$, with $j$-invariant $j \in \mathbb{F}_p$. 
Note that $D = 4A^3 + 27B^2 \neq 0$ since $E$ is non-singular. Define $j(\tilde E)$ as the value 

$$ j(\tilde E) = 1728 \cdot \frac{4\tilde A^3}{4\tilde A^3 + 27\tilde B^2}. $$

Since $D \neq 0$, the denominator is invertible, and hence $j(\tilde E) \in \mathbb{F}_p[\epsilon]$. Let 
$\tilde j$ denote the value $j(\tilde E)$, and note that $j = \tilde j \bmod \epsilon$. The following proposition 
shows that $\tilde j \in \mathbb{F}_p$ if and only if the elliptic curve $\tilde E$ can be transformed to the 
"canonical lift" (as defined in Section 2.1) by an invertible change of coordinates. 

Proposition 7.1. Let $E$ be given by $y^2 = x^3 + Ax + B$. Let $\tilde E$ be a lift of $E$ to 
$\mathbb{F}_p[\epsilon]$ with $\tilde A = A + A_1\epsilon$, $\tilde B = B + B_1\epsilon$, for $A_1, B_1 \in \mathbb{F}_p$. Then $\tilde j \in \mathbb{F}_p$ if and only if 
there exists $\mu = 1 + k\epsilon$ with $k \in \mathbb{F}_p$ such that $\mu^4 A = \tilde A$ and $\mu^6 B = \tilde B$. In this case, 
there exists a change of coordinates $x \mapsto \mu^2 x$, $y \mapsto \mu^3 y$ taking $E$ to $\tilde E$, where $E$ is 
viewed as an elliptic curve over $\mathbb{F}_p[\epsilon]$. 
Proof: Assume there exists $\mu = 1 + k\epsilon$, $k \in \mathbb{F}_p$, with $\mu^4 A = \tilde A$ and $\mu^6 B = \tilde B$. Then 

$$ \tilde j = 1728 \cdot \frac{4\tilde A^3}{4\tilde A^3 + 27\tilde B^2} = 1728 \cdot \frac{4\mu^{12}A^3}{\mu^{12}(4A^3 + 27B^2)} = j \in \mathbb{F}_p. $$

For the other implication, assume $\tilde j \in \mathbb{F}_p$. Then $\tilde j = j$ and a calculation with 
the $\epsilon$-components yields 

$$ 12A^2A_1 D = 4A^3(12A^2A_1 + 54BB_1). \qquad (9) $$

To find $\mu = 1 + k\epsilon$ such that $\mu^4 A = \tilde A$ and $\mu^6 B = \tilde B$, we solve $4kA = A_1$ and 
$6kB = B_1$ simultaneously for $k$. If either $A$ or $B$ is zero this is no problem. If 
$A, B \neq 0$, choose $k \in \mathbb{F}_p$ such that $4kA = A_1$. Then (9) becomes 

$$ 12A^2(4kA) D = 4A^3(12A^2(4kA) + 54BB_1), $$

which simplifies to $6k(D - 4A^3) = 27BB_1$. Since $D - 4A^3 = 27B^2$, this implies that $B_1 = 6kB$, as desired. 
□ 

Thus if $\tilde j \in \mathbb{F}_p$, the $p$-torsion of $E$ lifts to $p$-torsion of $\tilde E$, and the DLP attack 
over the dual numbers fails. Calculations suggest that lifts with $\tilde j \in \mathbb{F}_p$ are the 
only lifts of $E$ for which $p$-torsion lifts to $p$-torsion. Presuming this, it is easy 
to avoid a lift to $\mathbb{F}_p[\epsilon]$ for which $\tilde P$ and $\tilde Q$ are $p$-torsion simply by choosing a lift 
with $j$-invariant $\tilde j \notin \mathbb{F}_p$. This differs from the case of lifting to $\mathbb{Z}/p^2\mathbb{Z}$, since (to 
the author's knowledge) there is no analogously simple way to determine from the 
$j$-invariant $\tilde j \in \mathbb{Z}/p^2\mathbb{Z}$ whether or not the lift is canonical. 
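As an added illustration, not code from the paper, the following runs the attack of this section and the criterion of Proposition 7.1 on a constructed toy curve: $y^2 = x^3 + 3x + 2$ over $\mathbb{F}_5$ has exactly 5 points, so it is anomalous, and lifts are parametrised by $(A_1, B_1)$ as in the proposition. Reading the parameter $k$ of $p\tilde P = (k\epsilon : 1 : 0)$ off the affine point $(p-1)\tilde P$ by a collinearity argument is this example's own device; the paper only states the homomorphism $(k\epsilon : 1 : 0) \mapsto k$.

```python
# Added example, not the paper's code: Smart-style attack on an anomalous curve via
# a lift to the dual numbers F_p[eps] (eps^2 = 0), and the lift with j~ in F_p that
# defeats it. Constructed toy curve: y^2 = x^3 + 3x + 2 over F_5, with 5 points.
def dadd(u, v, p): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def dsub(u, v, p): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def dmul(u, v, p): return (u[0] * v[0] % p, (u[0] * v[1] + u[1] * v[0]) % p)
def dinv(u, p):  # (a + b eps)^-1 = a^-1 - b a^-2 eps, needs a != 0 mod p
    a = pow(u[0], -1, p)
    return (a, -u[1] * a * a % p)

def count_points(A, B, p):  # naive count of y^2 = x^3 + Ax + B over F_p, with O
    return 1 + sum((y * y - x**3 - A * x - B) % p == 0
                   for x in range(p) for y in range(p))

def ec_add(P, Q, A, p):  # affine chord/tangent law over F_p[eps]; the slope's
    # denominator is a unit unless P, Q reduce to opposite points mod eps
    (x1, y1), (x2, y2) = P, Q
    if P == Q:
        lam = dmul(dadd(dmul((3, 0), dmul(x1, x1, p), p), A, p),
                   dinv(dadd(y1, y1, p), p), p)
    else:
        lam = dmul(dsub(y2, y1, p), dinv(dsub(x2, x1, p), p), p)
    x3 = dsub(dsub(dmul(lam, lam, p), x1, p), x2, p)
    return (x3, dsub(dmul(lam, dsub(x1, x3, p), p), y1, p))

def ec_mul(m, P, A, p):  # double-and-add; for 1 <= m <= p-1 every step is affine
    R = None
    for bit in bin(m)[2:]:
        R = R if R is None else ec_add(R, R, A, p)
        if bit == '1':
            R = P if R is None else ec_add(R, P, A, p)
    return R

def lift_point(P, A1, B1, p):  # lift to A~ = A + A1 eps, B~ = B + B1 eps: keep x,
    x, y = P                    # choose c with (y + c eps)^2 = y^2 + (A1 x + B1) eps
    return ((x, 0), (y, (A1 * x + B1) * pow(2 * y, -1, p) % p))

def theta_param(P, A, A1, B1, p):
    # p P~ lies in theta = ker(reduction) as (k eps : 1 : 0). With (p-1) P~ =
    # (x + a eps, -y + b eps), the third point of the line through it and P~ is
    # (-a/(2y) eps : 1 : 0) (collinearity determinant), so k = a / (2y).
    Pt = lift_point(P, A1, B1, p)
    S = ec_mul(p - 1, Pt, (A, A1), p)
    return dsub(S[0], Pt[0], p)[1] * pow(2 * P[1], -1, p) % p

def anomalous_dlp(P, Q, A, A1, B1, p):
    # n with Q = nP, or None when p P~ = O (lift with j~ in F_p gives nothing)
    kP, kQ = theta_param(P, A, A1, B1, p), theta_param(Q, A, A1, B1, p)
    return None if kP == 0 else kQ * pow(kP, -1, p) % p
```

Here anomalous_dlp((1, 1), (2, 4), 3, 1, 0, 5) returns 3 (indeed $Q = 3P$; the lift $A_1 = 1, B_1 = 0$ has $\tilde j \notin \mathbb{F}_5$), while the lift $A_1 = 2, B_1 = 2$, which is $4kA, 6kB$ with $k = 1$ in Proposition 7.1, returns None because $p\tilde P = P_\infty$.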

References 

[1] Déchène, I., Arithmetic in generalized Jacobians, Lecture Notes in Computer Science, ANTS VII, Vol. 4076, pp. 421-435, 2006. 
[2] Frey, G. and Rück, H., A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves, Mathematics of Computation, Vol. 62, No. 206, pp. 865-874, 1994. 
[3] Kunihiro, N. and Koyama, K., Two discrete log algorithms for super-anomalous elliptic curves and their applications, IEICE Trans. Fundamentals, Vol. E83-A, No. 1, pp. 10-16, 2000. 
[4] Miller, V., The Weil pairing, and its efficient calculation, Journal of Cryptology, Vol. 17, pp. 235-261, 2004. 
[5] Rück, H., On the discrete logarithm in the divisor class group of curves, Mathematics of Computation, Vol. 68, No. 226, pp. 805-806, 1999. 
[6] Semaev, I.A., Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p, Mathematics of Computation, Vol. 67, pp. 353-356, 1998. 
[7] Serre, J.-P., Sur la topologie des variétés algébriques en caractéristique p, in Oeuvres: Collected Papers, Vol. 1 (1949-1959), Springer-Verlag, 1986, pp. 501-530. 
[8] Silverman, J., The Arithmetic of Elliptic Curves, Springer-Verlag, 1986. 
[9] Smart, N., The discrete logarithm problem on elliptic curves of trace one, Journal of Cryptology, Vol. 12, pp. 193-196, 1999. 
[10] Virat, M., A cryptosystem "à la" ElGamal on an elliptic curve over K[ε], Proceedings of Western European Workshop on Research in Cryptography, pp. 32-44, 2005. 
[11] Washington, L., Elliptic Curves: Number Theory and Cryptography, Chapman & Hall/CRC, 2003. 
[12] Zhu, Y.F. and Pei, D.Y., An algorithm for DLP on anomalous elliptic curves over F_p, Science in China, Series A (Mathematics, Physics, Astronomy), Vol. 45, No. 6, pp. 773-777, 2002. 

University of Maryland, College Park 



